In the previous article, the first two steps of the device lifecycle were covered; in this second part, we go into the remaining steps: securing the devices, supporting them, and finally retiring them when they are decommissioned.
Device protection aims to prevent corporate devices from exposing the network and corporate information to a wide range of threats. Let’s see how I can protect my corporate information through Microsoft Intune.
Obviously, everything we saw in the previous article would be of little use without being sure that the configurations we set have actually been applied on the endpoints.
Through Compliance Policies, I can define the rules or criteria at device level that determine whether my device complies with the corporate security policies.
I can use these policies in conjunction with Conditional Access rules to protect access to corporate resources from devices that are not compliant and therefore potentially vulnerable; moreover, through the reports that come with compliance policies, I also have the possibility of monitoring and resolving any discrepancies with respect to what I have defined.
On Android devices I have the possibility to check the following characteristics:
- Device configuration: through these policies I can verify that my devices have correctly applied the appropriate configurations, such as PIN requirement, encryption, root detection, etc.
- OS features: to block access to resources from obsolete operating systems, it is possible to check the minimum/maximum version of the OS; moreover, it is possible to verify that the OS is intact through the SafetyNet attestation check.
- Installed app security: with the compliance policy it is possible to verify not only the integrity of the operating system but also the integrity of the installed applications, and whether they appear to have been installed from unknown sources.
- Threat level: compliance policies allow you to verify whether a device is at a certain threat level as assessed by threat defense solutions such as Microsoft Defender for Endpoint.
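To make the four check categories above concrete, here is an added example (not Intune's code or schema) that evaluates a constructed device inventory record against a policy built from those same rules and returns the Conditional Access decision. The policy fields, the device record layout and the threat-level ordering are assumptions that mirror the article's checks; the OS version comparison is done numerically because a plain string compare would rank "9" above "10".

```python
"""Compliance evaluation modelled on the Android checks listed above.

Added example: this is not Intune's own code or schema. The policy fields,
the device record and the threat-level ordering are constructed assumptions
that mirror the rules the article describes.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Threat levels as reported by a threat defense solution; lower is better.
# The ordering is an assumption for this example.
THREAT_LEVELS = {"secured": 0, "low": 1, "medium": 2, "high": 3}


def version_key(version: str, width: int = 4) -> Tuple[int, ...]:
    """Normalise an OS version string for comparison.

    Numeric components are compared as integers ('10' > '9') and short
    strings are zero-padded so '11' equals '11.0'; a plain string compare
    would get both of these wrong.
    """
    nums = [int(p) for p in re.findall(r"\d+", version)]
    return tuple((nums + [0] * width)[:width])


@dataclass
class CompliancePolicy:
    require_pin: bool = True
    require_encryption: bool = True
    block_rooted: bool = True
    os_min: Optional[str] = None
    os_max: Optional[str] = None
    require_safetynet_basic_integrity: bool = True
    block_unknown_sources: bool = True
    max_allowed_threat_level: str = "low"  # device must be at or below this


@dataclass
class DeviceRecord:
    """Constructed inventory record (not the Intune managedDevice schema)."""
    name: str
    os_version: str
    pin_set: bool
    encrypted: bool
    rooted: bool
    safetynet_basic_integrity: bool
    unknown_sources_enabled: bool
    threat_level: str


def evaluate(policy: CompliancePolicy, device: DeviceRecord) -> List[str]:
    """Return the rules the device violates; an empty list means compliant."""
    violations: List[str] = []
    if policy.require_pin and not device.pin_set:
        violations.append("pin_required")
    if policy.require_encryption and not device.encrypted:
        violations.append("encryption_required")
    if policy.block_rooted and device.rooted:
        violations.append("rooted")
    if policy.os_min and version_key(device.os_version) < version_key(policy.os_min):
        violations.append(f"os_below_minimum:{policy.os_min}")
    if policy.os_max and version_key(device.os_version) > version_key(policy.os_max):
        violations.append(f"os_above_maximum:{policy.os_max}")
    if policy.require_safetynet_basic_integrity and not device.safetynet_basic_integrity:
        violations.append("safetynet_basic_integrity_failed")
    if policy.block_unknown_sources and device.unknown_sources_enabled:
        violations.append("unknown_sources_enabled")
    # An unrecognised threat level fails closed: treat it as the worst case.
    level = THREAT_LEVELS.get(device.threat_level, max(THREAT_LEVELS.values()) + 1)
    if level > THREAT_LEVELS[policy.max_allowed_threat_level]:
        violations.append(f"threat_level:{device.threat_level}")
    return violations


def conditional_access_allows(policy: CompliancePolicy, device: DeviceRecord) -> bool:
    """The Conditional Access decision: grant only to fully compliant devices."""
    return not evaluate(policy, device)


# Constructed sample data.
POLICY = CompliancePolicy(os_min="10", os_max="13")
GOOD_DEVICE = DeviceRecord("pixel-ok", "12.0.1", True, True, False, True, False, "secured")
BAD_DEVICE = DeviceRecord("tablet-rooted", "9", True, True, True, True, True, "high")

if __name__ == "__main__":
    for dev in (GOOD_DEVICE, BAD_DEVICE):
        verdict = "compliant" if conditional_access_allows(POLICY, dev) else evaluate(POLICY, dev)
        print(dev.name, verdict)
```

The evaluator returns every violated rule rather than stopping at the first one, which is what you want for the remediation reports the article mentions: the operator sees all of the reasons a device was blocked, not just one.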
As noted earlier, companies still need to deal with situations where employees use their own personal devices to access corporate resources. Even when I cannot manage the device, through Microsoft Intune I have the possibility to govern the application protection features.
Through App Protection Policies I can ensure that the corporate data residing within the managed apps remain secure; a fundamental aspect is that these policies can also be applied to Android devices not enrolled in Microsoft Intune, with the only constraint that the Company Portal application is present on the device.
Let’s see which rules I can apply through these policies:
- As a first aspect, it is important to underline that these rules can only be applied to company accounts; therefore any personal or unmanaged accounts are not subject to this type of policy.
- With App Protection Policies, I have the ability to encrypt the content in the app and to inhibit the transfer of information from a managed app to an unmanaged app (for example, I can block copy-paste from an app like Word to a social network).
- I have the option of requiring a PIN or credentials in order to access the managed application; this allows you to protect the information if it is accessed from devices not managed by your organization.
- Finally, I have the option to authorize or block the launch of the managed app based on certain conditions, such as whether the device has been rooted or whether a certain version of the OS is running.
Another fundamental aspect to take into consideration when you want to protect a device is certainly the management of updates; through Device Restriction Policies, you have the ability to manage updates on Android devices. Compared to what is possible on iOS, with these policies it is only possible to define when to apply the update, which can happen in the following ways:
- Automatic: updates are installed automatically as soon as they are available, without interaction with the user.
- Deferred: updates are delayed for 30 days. On day 30, Android notifies the user that they need to install the update.
- Maintenance window: updates are installed within a defined daily maintenance window. If after 30 days the device has not been able to update, Android notifies the user to install the update. This window is also used by the system to update apps.
If you want to promptly manage this feature, you can integrate Microsoft Intune with the Samsung E-FOTA solution, which allows you to manage updates in a more granular and specific way.
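The three update modes are easy to misread when the maintenance window crosses midnight or when the 30-day deferral runs out, so here is an added example (not Intune's or Android's own logic) that encodes the timing rules exactly as the article states them and returns what the device should do at a given moment. The decision function, the 30-day constant and the sample dates are constructed for this illustration.

```python
"""Update-timing decision for the three Android update modes described above.

Added example, not Intune's or Android's own logic: the decision function
and the 30-day deferral constant encode the behaviour as the article states
it, and the sample timestamps are constructed.
"""
from datetime import datetime, time, timedelta
from typing import Optional, Tuple

DEFER_DAYS = 30  # after this many days Android prompts the user to install
Window = Tuple[str, str]  # ("HH:MM", "HH:MM") local times; may cross midnight


def in_window(now_hhmm: str, window: Window) -> bool:
    """True if the clock time 'now_hhmm' falls inside the maintenance window.

    A window such as 23:00-01:00 crosses midnight, so the naive
    start <= now < end test would never match; the second branch handles it.
    """
    start, end = (time.fromisoformat(s) for s in window)
    now = time.fromisoformat(now_hhmm)
    if start <= end:
        return start <= now < end
    return now >= start or now < end


def update_decision(mode: str, available_since: str, now: str,
                    window: Optional[Window] = None) -> str:
    """Return 'install', 'notify' or 'wait'.

    'available_since' and 'now' are ISO-8601 timestamps; 'mode' is one of
    'automatic', 'deferred' or 'maintenance_window'.
    """
    released = datetime.fromisoformat(available_since)
    current = datetime.fromisoformat(now)
    if mode == "automatic":
        return "install"
    # Both non-automatic modes fall back to a user prompt after DEFER_DAYS.
    overdue = current - released >= timedelta(days=DEFER_DAYS)
    if mode == "deferred":
        return "notify" if overdue else "wait"
    if mode == "maintenance_window":
        if window is None:
            raise ValueError("maintenance_window mode needs a window")
        if in_window(current.strftime("%H:%M"), window):
            return "install"
        return "notify" if overdue else "wait"
    raise ValueError(f"unknown update mode: {mode}")


# Constructed sample: update published 1 Jan 09:00, nightly window 02:00-04:00.
RELEASE = "2024-01-01T09:00"
NIGHT_WINDOW = ("02:00", "04:00")

if __name__ == "__main__":
    for when in ("2024-01-05T03:00", "2024-01-05T12:00", "2024-02-01T12:00"):
        print(when, update_decision("maintenance_window", RELEASE, when, NIGHT_WINDOW))
```

Note that in maintenance-window mode the window always wins: once the device is inside it, the update installs regardless of age, and the user prompt only appears for a device that has missed its window for 30 days.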
Support and Retire
The last step in the device life cycle consists of the support and eventual decommissioning of the endpoints.
Regarding support, through Microsoft Intune I currently have the possibility to perform Remote Assistance through Microsoft Teams or through the integration between Microsoft Intune and TeamViewer.
Announced during the last Ignite, the Remote Help functionality will also be available on Android devices; this feature will be part of the new Advanced Endpoint Management suite and will be available for Android devices enrolled in Dedicated mode.
At the moment, the solution with the TeamViewer connector is the most complete in terms of features made available for remote control such as access in unattended mode or the execution of remote commands.
Still regarding support, through the portal I have the possibility to provide Help Desk operators or IT administrators with tools to perform remote actions on devices, such as:
| Action | Description | Supported Android scenarios |
|---|---|---|
| Sync | Forces the selected device to immediately check in with Intune | Android Enterprise personally-owned with work profile |
| Send custom notification | Sends standard push notifications from the Company Portal app and from the Microsoft Intune app on a user’s device | All Android scenarios |
| Remote Lock | Forces a lock of the device | All Android scenarios |
| Reset passcode | Resets the passcode for the entire device or the work profile passcode | Android Enterprise dedicated devices; Android Enterprise corporate-owned with work profile (only the work profile passcode); Android 6.x or earlier |
| Restart | Forces the selected device to restart (within 5 minutes) | Android Enterprise dedicated devices; Fully Managed; Corporate-owned with work profile |
| Play lost device sound | Triggers the device to play an alert sound | Android Enterprise dedicated devices; Fully Managed; Corporate-owned with work profile |
| Locate device | Displays its last known location (uses data submitted by the device when it checks in with Intune) | Android Enterprise dedicated devices |
Finally, if it is necessary to decommission the device, we have the possibility to remove it from Intune and start a complete wipe of the Android device depending on the enrollment mode; this process allows you to remove corporate information and configurations or to completely format the device remotely.
The Wipe action restores the device to factory settings, removing the settings and all the data present, both corporate and personal. This action is not available on personal devices.
The Retire action removes all the configurations and apps deployed from Intune while keeping the user’s personal data; the device is then removed from Intune at its next check-in.
The Delete action is similar to the Retire action, with the only difference that the device is immediately removed from Intune.
Small tip: before removing a user from Azure Active Directory, it is necessary to perform the Retire or Delete action on all enrolled devices; if the user is removed first, Intune will no longer be able to delete or retire the devices associated with the removed user.
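The ordering in that tip is easy to get wrong in an automated offboarding flow, so here is an added example (not a Microsoft script) that enforces it: it lists the user's managed devices, wipes the corporate-owned ones or retires the rest, and only then deletes the account. It calls the Microsoft Graph endpoints the author assumes from the Graph documentation for managed devices (`users/{id}/managedDevices`, `managedDevices/{id}/retire`, `managedDevices/{id}/wipe`, `DELETE users/{id}`); the `GRAPH_TOKEN` variable, the permission named in the comment and the fake transport with its sample devices are assumptions constructed for this example, so the script also runs offline.

```python
"""Decommissioning order: retire or wipe the user's devices, then delete the user.

Added example; not a Microsoft script. The Graph endpoints below are the ones
the author assumes from the Microsoft Graph documentation for managed devices;
the token variable and the fake transport are constructed for this example.
"""
import json
import os
import urllib.request
from typing import Any, Callable, Dict, List, Optional

GRAPH = "https://graph.microsoft.com/v1.0"
Transport = Callable[[str, str, Optional[Dict[str, Any]]], Dict[str, Any]]


def http_transport(token: str) -> Transport:
    """Minimal Graph client: (method, url, json body) -> parsed JSON response."""
    def send(method: str, url: str, body: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}
    return send


def list_user_devices(send: Transport, user_id: str) -> List[Dict[str, Any]]:
    """All Intune-managed devices of the user, following @odata.nextLink paging."""
    page = send("GET", f"{GRAPH}/users/{user_id}/managedDevices", None)
    devices = list(page.get("value", []))
    while page.get("@odata.nextLink"):
        page = send("GET", page["@odata.nextLink"], None)
        devices.extend(page.get("value", []))
    return devices


def decommission_user(send: Transport, user_id: str, wipe_corporate: bool = False,
                      delete_user: bool = False) -> List[str]:
    """Retire (or wipe, for corporate-owned devices) every device before the
    user account goes away. Returns the actions in the order taken, for audit."""
    actions: List[str] = []
    for dev in list_user_devices(send, user_id):
        dev_id = dev["id"]
        corporate = dev.get("managedDeviceOwnerType") == "company"
        if wipe_corporate and corporate:
            # Wipe is a factory reset; the article notes it is not offered on personal devices.
            send("POST", f"{GRAPH}/deviceManagement/managedDevices/{dev_id}/wipe",
                 {"keepEnrollmentData": False, "keepUserData": False})
            actions.append(f"wipe:{dev_id}")
        else:
            send("POST", f"{GRAPH}/deviceManagement/managedDevices/{dev_id}/retire", {})
            actions.append(f"retire:{dev_id}")
    if delete_user:
        # Only now is it safe to remove the account: Intune can no longer act on
        # devices whose user has already been deleted.
        send("DELETE", f"{GRAPH}/users/{user_id}", None)
        actions.append(f"delete_user:{user_id}")
    return actions


def fake_transport(devices: List[Dict[str, Any]]) -> Transport:
    """Constructed offline stand-in for Graph that records every call in send.calls."""
    calls: List[tuple] = []

    def send(method: str, url: str, body: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
        calls.append((method, url, body))
        if method == "GET" and url.endswith("/managedDevices"):
            return {"value": devices}
        return {}
    send.calls = calls  # type: ignore[attr-defined]
    return send


SAMPLE_DEVICES = [  # constructed
    {"id": "dev-1", "deviceName": "corp-phone", "managedDeviceOwnerType": "company"},
    {"id": "dev-2", "deviceName": "byod-phone", "managedDeviceOwnerType": "personal"},
]

if __name__ == "__main__":
    # Assumption: GRAPH_TOKEN holds a token with a permission such as
    # DeviceManagementManagedDevices.PrivilegedOperations.All; without it the
    # script does an offline dry run against the constructed sample devices.
    token = os.environ.get("GRAPH_TOKEN")
    send = http_transport(token) if token else fake_transport(SAMPLE_DEVICES)
    for action in decommission_user(send, "user-1", wipe_corporate=True, delete_user=False):
        print(action)
```

The transport is injected so the same decommissioning logic can be exercised against the recording fake before it is ever pointed at a tenant; the returned action list is also what you would write to your offboarding audit trail.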
Here are some useful references to the official documents:
- Use compliance policies to set rules for devices you manage with Intune
- Android app protection policy settings in Microsoft Intune
- Use TeamViewer to remotely administer Intune devices
In these two articles, we have seen how, through the Microsoft Intune solution, it is possible to manage the entire life cycle of Android devices in a simple and centralized way.